keypin.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479
  1. /* Copyright (c) 2014, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. #define KEYPIN_PRIVATE
  4. #include "orconfig.h"
  5. #include "compat.h"
  6. #include "crypto.h"
  7. #include "crypto_format.h"
  8. #include "di_ops.h"
  9. #include "ht.h"
  10. #include "keypin.h"
  11. #include "siphash.h"
  12. #include "torint.h"
  13. #include "torlog.h"
  14. #include "util.h"
  15. #include "util_format.h"
  16. #ifdef HAVE_UNISTD_H
  17. #include <unistd.h>
  18. #endif
  19. #ifdef HAVE_FCNTL_H
  20. #include <fcntl.h>
  21. #endif
  22. #ifdef _WIN32
  23. #include <io.h>
  24. #endif
  25. /**
  26. * @file keypin.c
  27. * @brief Key-pinning for RSA and Ed25519 identity keys at directory
  28. * authorities.
  29. *
  30. * This module implements a key-pinning mechanism to ensure that it's safe
  31. * to use RSA keys as identitifers even as we migrate to Ed25519 keys. It
  32. * remembers, for every Ed25519 key we've seen, what the associated Ed25519
  33. * key is. This way, if we see a different Ed25519 key with that RSA key,
  34. * we'll know that there's a mismatch.
  35. *
  36. * We persist these entries to disk using a simple format, where each line
  37. * has a base64-encoded RSA SHA1 hash, then a base64-endoded Ed25519 key.
  38. * Empty lines, misformed lines, and lines beginning with # are
  39. * ignored. Lines beginning with @ are reserved for future extensions.
  40. */
  41. static int keypin_journal_append_entry(const uint8_t *rsa_id_digest,
  42. const uint8_t *ed25519_id_key);
  43. static int keypin_check_and_add_impl(const uint8_t *rsa_id_digest,
  44. const uint8_t *ed25519_id_key,
  45. const int do_not_add,
  46. const int replace);
  47. static int keypin_add_or_replace_entry_in_map(keypin_ent_t *ent);
  48. static HT_HEAD(rsamap, keypin_ent_st) the_rsa_map = HT_INITIALIZER();
  49. static HT_HEAD(edmap, keypin_ent_st) the_ed_map = HT_INITIALIZER();
  50. /** Hashtable helper: compare two keypin table entries and return true iff
  51. * they have the same RSA key IDs. */
  52. static inline int
  53. keypin_ents_eq_rsa(const keypin_ent_t *a, const keypin_ent_t *b)
  54. {
  55. return tor_memeq(a->rsa_id, b->rsa_id, sizeof(a->rsa_id));
  56. }
  57. /** Hashtable helper: hash a keypin table entries based on its RSA key ID */
  58. static inline unsigned
  59. keypin_ent_hash_rsa(const keypin_ent_t *a)
  60. {
  61. return (unsigned) siphash24g(a->rsa_id, sizeof(a->rsa_id));
  62. }
  63. /** Hashtable helper: compare two keypin table entries and return true iff
  64. * they have the same ed25519 keys */
  65. static inline int
  66. keypin_ents_eq_ed(const keypin_ent_t *a, const keypin_ent_t *b)
  67. {
  68. return tor_memeq(a->ed25519_key, b->ed25519_key, sizeof(a->ed25519_key));
  69. }
  70. /** Hashtable helper: hash a keypin table entries based on its ed25519 key */
  71. static inline unsigned
  72. keypin_ent_hash_ed(const keypin_ent_t *a)
  73. {
  74. return (unsigned) siphash24g(a->ed25519_key, sizeof(a->ed25519_key));
  75. }
  76. HT_PROTOTYPE(rsamap, keypin_ent_st, rsamap_node, keypin_ent_hash_rsa,
  77. keypin_ents_eq_rsa);
  78. HT_GENERATE2(rsamap, keypin_ent_st, rsamap_node, keypin_ent_hash_rsa,
  79. keypin_ents_eq_rsa, 0.6, tor_reallocarray, tor_free_);
  80. HT_PROTOTYPE(edmap, keypin_ent_st, edmap_node, keypin_ent_hash_ed,
  81. keypin_ents_eq_ed);
  82. HT_GENERATE2(edmap, keypin_ent_st, edmap_node, keypin_ent_hash_ed,
  83. keypin_ents_eq_ed, 0.6, tor_reallocarray, tor_free_);
  84. /**
  85. * Check whether we already have an entry in the key pinning table for a
  86. * router with RSA ID digest <b>rsa_id_digest</b> or for ed25519 key
  87. * <b>ed25519_id_key</b>. If we have an entry that matches both keys,
  88. * return KEYPIN_FOUND. If we find an entry that matches one key but
  89. * not the other, return KEYPIN_MISMATCH. If we have no entry for either
  90. * key, add such an entry to the table and return KEYPIN_ADDED.
  91. *
  92. * If <b>replace_existing_entry</b> is true, then any time we would have said
  93. * KEYPIN_FOUND, we instead add this entry anyway and return KEYPIN_ADDED.
  94. */
  95. int
  96. keypin_check_and_add(const uint8_t *rsa_id_digest,
  97. const uint8_t *ed25519_id_key,
  98. const int replace_existing_entry)
  99. {
  100. return keypin_check_and_add_impl(rsa_id_digest, ed25519_id_key, 0,
  101. replace_existing_entry);
  102. }
  103. /**
  104. * As keypin_check_and_add, but do not add. Return KEYPIN_NOT_FOUND if
  105. * we would add.
  106. */
  107. int
  108. keypin_check(const uint8_t *rsa_id_digest,
  109. const uint8_t *ed25519_id_key)
  110. {
  111. return keypin_check_and_add_impl(rsa_id_digest, ed25519_id_key, 1, 0);
  112. }
  113. /**
  114. * Helper: implements keypin_check and keypin_check_and_add.
  115. */
  116. static int
  117. keypin_check_and_add_impl(const uint8_t *rsa_id_digest,
  118. const uint8_t *ed25519_id_key,
  119. const int do_not_add,
  120. const int replace)
  121. {
  122. keypin_ent_t search, *ent;
  123. memset(&search, 0, sizeof(search));
  124. memcpy(search.rsa_id, rsa_id_digest, sizeof(search.rsa_id));
  125. memcpy(search.ed25519_key, ed25519_id_key, sizeof(search.ed25519_key));
  126. /* Search by RSA key digest first */
  127. ent = HT_FIND(rsamap, &the_rsa_map, &search);
  128. if (ent) {
  129. tor_assert(fast_memeq(ent->rsa_id, rsa_id_digest, sizeof(ent->rsa_id)));
  130. if (tor_memeq(ent->ed25519_key, ed25519_id_key,sizeof(ent->ed25519_key))) {
  131. return KEYPIN_FOUND; /* Match on both keys. Great. */
  132. } else {
  133. if (!replace)
  134. return KEYPIN_MISMATCH; /* Found RSA with different Ed key */
  135. }
  136. }
  137. /* See if we know a different RSA key for this ed key */
  138. if (! replace) {
  139. ent = HT_FIND(edmap, &the_ed_map, &search);
  140. if (ent) {
  141. /* If we got here, then the ed key matches and the RSA doesn't */
  142. tor_assert(fast_memeq(ent->ed25519_key, ed25519_id_key,
  143. sizeof(ent->ed25519_key)));
  144. tor_assert(fast_memneq(ent->rsa_id, rsa_id_digest, sizeof(ent->rsa_id)));
  145. return KEYPIN_MISMATCH;
  146. }
  147. }
  148. /* Okay, this one is new to us. */
  149. if (do_not_add)
  150. return KEYPIN_NOT_FOUND;
  151. ent = tor_memdup(&search, sizeof(search));
  152. int r = keypin_add_or_replace_entry_in_map(ent);
  153. if (! replace) {
  154. tor_assert(r == 1);
  155. } else {
  156. tor_assert(r != 0);
  157. }
  158. keypin_journal_append_entry(rsa_id_digest, ed25519_id_key);
  159. return KEYPIN_ADDED;
  160. }
  161. /**
  162. * Helper: add <b>ent</b> to the hash tables.
  163. */
  164. MOCK_IMPL(STATIC void,
  165. keypin_add_entry_to_map, (keypin_ent_t *ent))
  166. {
  167. HT_INSERT(rsamap, &the_rsa_map, ent);
  168. HT_INSERT(edmap, &the_ed_map, ent);
  169. }
  170. /**
  171. * Helper: add 'ent' to the maps, replacing any entries that contradict it.
  172. * Take ownership of 'ent', freeing it if needed.
  173. *
  174. * Return 0 if the entry was a duplicate, -1 if there was a conflict,
  175. * and 1 if there was no conflict.
  176. */
  177. static int
  178. keypin_add_or_replace_entry_in_map(keypin_ent_t *ent)
  179. {
  180. int r = 1;
  181. keypin_ent_t *ent2 = HT_FIND(rsamap, &the_rsa_map, ent);
  182. keypin_ent_t *ent3 = HT_FIND(edmap, &the_ed_map, ent);
  183. if (ent2 &&
  184. fast_memeq(ent2->ed25519_key, ent->ed25519_key, DIGEST256_LEN)) {
  185. /* We already have this mapping stored. Ignore it. */
  186. tor_free(ent);
  187. return 0;
  188. } else if (ent2 || ent3) {
  189. /* We have a conflict. (If we had no entry, we would have ent2 == ent3
  190. * == NULL. If we had a non-conflicting duplicate, we would have found
  191. * it above.)
  192. *
  193. * We respond by having this entry (ent) supersede all entries that it
  194. * contradicts (ent2 and/or ent3). In other words, if we receive
  195. * <rsa,ed>, we remove all <rsa,ed'> and all <rsa',ed>, for rsa'!=rsa
  196. * and ed'!= ed.
  197. */
  198. const keypin_ent_t *t;
  199. if (ent2) {
  200. t = HT_REMOVE(rsamap, &the_rsa_map, ent2);
  201. tor_assert(ent2 == t);
  202. t = HT_REMOVE(edmap, &the_ed_map, ent2);
  203. tor_assert(ent2 == t);
  204. }
  205. if (ent3 && ent2 != ent3) {
  206. t = HT_REMOVE(rsamap, &the_rsa_map, ent3);
  207. tor_assert(ent3 == t);
  208. t = HT_REMOVE(edmap, &the_ed_map, ent3);
  209. tor_assert(ent3 == t);
  210. tor_free(ent3);
  211. }
  212. tor_free(ent2);
  213. r = -1;
  214. /* Fall through */
  215. }
  216. keypin_add_entry_to_map(ent);
  217. return r;
  218. }
  219. /**
  220. * Check whether we already have an entry in the key pinning table for a
  221. * router with RSA ID digest <b>rsa_id_digest</b>. If we have no such entry,
  222. * return KEYPIN_NOT_FOUND. If we find an entry that matches the RSA key but
  223. * which has an ed25519 key, return KEYPIN_MISMATCH.
  224. */
  225. int
  226. keypin_check_lone_rsa(const uint8_t *rsa_id_digest)
  227. {
  228. keypin_ent_t search, *ent;
  229. memset(&search, 0, sizeof(search));
  230. memcpy(search.rsa_id, rsa_id_digest, sizeof(search.rsa_id));
  231. /* Search by RSA key digest first */
  232. ent = HT_FIND(rsamap, &the_rsa_map, &search);
  233. if (ent) {
  234. return KEYPIN_MISMATCH;
  235. } else {
  236. return KEYPIN_NOT_FOUND;
  237. }
  238. }
  239. /** Open fd to the keypinning journal file. */
  240. static int keypin_journal_fd = -1;
  241. /** Open the key-pinning journal to append to <b>fname</b>. Return 0 on
  242. * success, -1 on failure. */
  243. int
  244. keypin_open_journal(const char *fname)
  245. {
  246. /* O_SYNC ??*/
  247. int fd = tor_open_cloexec(fname, O_WRONLY|O_CREAT|O_BINARY, 0600);
  248. if (fd < 0)
  249. goto err;
  250. if (tor_fd_seekend(fd) < 0)
  251. goto err;
  252. /* Add a newline in case the last line was only partially written */
  253. if (write(fd, "\n", 1) < 1)
  254. goto err;
  255. /* Add something about when we opened this file. */
  256. char buf[80];
  257. char tbuf[ISO_TIME_LEN+1];
  258. format_iso_time(tbuf, approx_time());
  259. tor_snprintf(buf, sizeof(buf), "@opened-at %s\n", tbuf);
  260. if (write_all(fd, buf, strlen(buf), 0) < 0)
  261. goto err;
  262. keypin_journal_fd = fd;
  263. return 0;
  264. err:
  265. if (fd >= 0)
  266. close(fd);
  267. return -1;
  268. }
  269. /** Close the keypinning journal file. */
  270. int
  271. keypin_close_journal(void)
  272. {
  273. if (keypin_journal_fd >= 0)
  274. close(keypin_journal_fd);
  275. keypin_journal_fd = -1;
  276. return 0;
  277. }
  278. /** Length of a keypinning journal line, including terminating newline. */
  279. #define JOURNAL_LINE_LEN (BASE64_DIGEST_LEN + BASE64_DIGEST256_LEN + 2)
  280. /** Add an entry to the keypinning journal to map <b>rsa_id_digest</b> and
  281. * <b>ed25519_id_key</b>. */
  282. static int
  283. keypin_journal_append_entry(const uint8_t *rsa_id_digest,
  284. const uint8_t *ed25519_id_key)
  285. {
  286. if (keypin_journal_fd == -1)
  287. return -1;
  288. char line[JOURNAL_LINE_LEN];
  289. digest_to_base64(line, (const char*)rsa_id_digest);
  290. line[BASE64_DIGEST_LEN] = ' ';
  291. digest256_to_base64(line + BASE64_DIGEST_LEN + 1,
  292. (const char*)ed25519_id_key);
  293. line[BASE64_DIGEST_LEN+1+BASE64_DIGEST256_LEN] = '\n';
  294. if (write_all(keypin_journal_fd, line, JOURNAL_LINE_LEN, 0)<0) {
  295. log_warn(LD_DIRSERV, "Error while adding a line to the key-pinning "
  296. "journal: %s", strerror(errno));
  297. keypin_close_journal();
  298. return -1;
  299. }
  300. return 0;
  301. }
  302. /** Load a journal from the <b>size</b>-byte region at <b>data</b>. Return 0
  303. * on success, -1 on failure. */
  304. STATIC int
  305. keypin_load_journal_impl(const char *data, size_t size)
  306. {
  307. const char *start = data, *end = data + size, *next;
  308. int n_corrupt_lines = 0;
  309. int n_entries = 0;
  310. int n_duplicates = 0;
  311. int n_conflicts = 0;
  312. for (const char *cp = start; cp < end; cp = next) {
  313. const char *eol = memchr(cp, '\n', end-cp);
  314. const char *eos = eol ? eol : end;
  315. const size_t len = eos - cp;
  316. next = eol ? eol + 1 : end;
  317. if (len == 0) {
  318. continue;
  319. }
  320. if (*cp == '@') {
  321. /* Lines that start with @ are reserved. Ignore for now. */
  322. continue;
  323. }
  324. if (*cp == '#') {
  325. /* Lines that start with # are comments. */
  326. continue;
  327. }
  328. /* Is it the right length? (The -1 here is for the newline.) */
  329. if (len != JOURNAL_LINE_LEN - 1) {
  330. /* Lines with a bad length are corrupt unless they are empty.
  331. * Ignore them either way */
  332. for (const char *s = cp; s < eos; ++s) {
  333. if (! TOR_ISSPACE(*s)) {
  334. ++n_corrupt_lines;
  335. break;
  336. }
  337. }
  338. continue;
  339. }
  340. keypin_ent_t *ent = keypin_parse_journal_line(cp);
  341. if (ent == NULL) {
  342. ++n_corrupt_lines;
  343. continue;
  344. }
  345. const int r = keypin_add_or_replace_entry_in_map(ent);
  346. if (r == 0) {
  347. ++n_duplicates;
  348. } else if (r == -1) {
  349. ++n_conflicts;
  350. }
  351. ++n_entries;
  352. }
  353. int severity = (n_corrupt_lines || n_duplicates) ? LOG_WARN : LOG_INFO;
  354. tor_log(severity, LD_DIRSERV,
  355. "Loaded %d entries from keypin journal. "
  356. "Found %d corrupt lines, %d duplicates, and %d conflicts.",
  357. n_entries, n_corrupt_lines, n_duplicates, n_conflicts);
  358. return 0;
  359. }
  360. /**
  361. * Load a journal from the file called <b>fname</b>. Return 0 on success,
  362. * -1 on failure.
  363. */
  364. int
  365. keypin_load_journal(const char *fname)
  366. {
  367. tor_mmap_t *map = tor_mmap_file(fname);
  368. if (!map) {
  369. if (errno == ENOENT)
  370. return 0;
  371. else
  372. return -1;
  373. }
  374. int r = keypin_load_journal_impl(map->data, map->size);
  375. tor_munmap_file(map);
  376. return r;
  377. }
  378. /** Parse a single keypinning journal line entry from <b>cp</b>. The input
  379. * does not need to be NUL-terminated, but it <em>does</em> need to have
  380. * KEYPIN_JOURNAL_LINE_LEN -1 bytes available to read. Return a new entry
  381. * on success, and NULL on failure.
  382. */
  383. STATIC keypin_ent_t *
  384. keypin_parse_journal_line(const char *cp)
  385. {
  386. /* XXXX assumes !USE_OPENSSL_BASE64 */
  387. keypin_ent_t *ent = tor_malloc_zero(sizeof(keypin_ent_t));
  388. if (base64_decode((char*)ent->rsa_id, sizeof(ent->rsa_id),
  389. cp, BASE64_DIGEST_LEN) != DIGEST_LEN ||
  390. cp[BASE64_DIGEST_LEN] != ' ' ||
  391. base64_decode((char*)ent->ed25519_key, sizeof(ent->ed25519_key),
  392. cp+BASE64_DIGEST_LEN+1, BASE64_DIGEST256_LEN) != DIGEST256_LEN) {
  393. tor_free(ent);
  394. return NULL;
  395. } else {
  396. return ent;
  397. }
  398. }
  399. /** Remove all entries from the keypinning table.*/
  400. void
  401. keypin_clear(void)
  402. {
  403. int bad_entries = 0;
  404. {
  405. keypin_ent_t **ent, **next, *this;
  406. for (ent = HT_START(rsamap, &the_rsa_map); ent != NULL; ent = next) {
  407. this = *ent;
  408. next = HT_NEXT_RMV(rsamap, &the_rsa_map, ent);
  409. keypin_ent_t *other_ent = HT_REMOVE(edmap, &the_ed_map, this);
  410. bad_entries += (other_ent != this);
  411. tor_free(this);
  412. }
  413. }
  414. bad_entries += HT_SIZE(&the_ed_map);
  415. HT_CLEAR(edmap,&the_ed_map);
  416. HT_CLEAR(rsamap,&the_rsa_map);
  417. if (bad_entries) {
  418. log_warn(LD_BUG, "Found %d discrepencies in the the keypin database.",
  419. bad_entries);
  420. }
  421. }